CVE-2026-25905 identifies a vulnerability in the 'mcp-run-python' project, specifically in the way Python code executed via 'runPython' or 'runPythonAsync' functions interacts with the JavaScript (JS) environment. The core issue is improper isolation or compartmentalization (CWE-653), where Python code is not sandboxed and can leverage Pyodide APIs to modify the JS environment. Pyodide is a WebAssembly-based Python runtime that allows Python code to run in browsers or JS environments. Because the Python code can manipulate the JS environment, an attacker who can inject or execute Python code can hijack the MCP server, potentially leading to unauthorized control or manipulation of server-side processes. This can facilitate malicious activities such as MCP tool shadowing, where attackers stealthily replace or interfere with legitimate tools. The vulnerability has a CVSS 3.1 base score of 5.8, reflecting a medium severity level. The attack vector is network-based (AV:N), but the attack complexity is high (AC:H), meaning exploitation requires specific conditions or knowledge. No privileges are required (PR:N), but user interaction is necessary (UI:R), such as tricking a user into executing malicious Python code. The scope is changed (S:C), indicating that exploitation affects components beyond the vulnerable component itself. The project is archived and unlikely to receive fixes, leaving users exposed unless they implement their own mitigations or migrate. No known exploits have been reported in the wild, but the risk remains due to the lack of maintenance. This vulnerability is particularly relevant for environments that integrate Python and JavaScript, especially where Pyodide is used without strict sandboxing or isolation controls.

For European organizations, the impact of CVE-2026-25905 can be significant in contexts where the 'mcp-run-python' project or similar Python-JavaScript integration tools are used. Successful exploitation could lead to unauthorized control over MCP servers, enabling attackers to manipulate server operations, exfiltrate sensitive data, or disrupt services. This could affect software development environments, cloud services, or web applications relying on embedded Python execution. The compromised integrity and availability of affected systems could disrupt business operations, especially in sectors like finance, healthcare, and critical infrastructure that rely heavily on secure and stable IT environments. Additionally, the ability to perform tool shadowing could allow attackers to persist undetected, complicating incident response and increasing the risk of data breaches or sabotage. Since the project is archived and unpatched, organizations continuing to use it face prolonged exposure. The medium CVSS score reflects moderate risk, but the changed scope and potential for server hijacking elevate the threat in high-value environments.

Given that 'mcp-run-python' is archived and unlikely to receive patches, European organizations should prioritize migrating away from this project to actively maintained alternatives that enforce strict isolation between Python and JavaScript environments. Where migration is not immediately feasible, organizations should implement strict sandboxing to isolate Python execution contexts, preventing Python code from accessing or modifying the JS environment or underlying system resources. Employing WebAssembly security best practices, such as limiting Pyodide API exposure and using content security policies (CSP) to restrict script execution, can reduce attack surface. Additionally, organizations should implement robust input validation and user interaction controls to prevent injection of malicious Python code. Monitoring and logging Python and JS interactions can help detect anomalous behavior indicative of exploitation attempts. Regular security assessments and code reviews focusing on integration points between Python and JavaScript are recommended. Finally, educating developers and users about the risks of executing untrusted Python code in these environments is essential to reduce user interaction-based exploitation.